Threat Research | Weekly Recap [07 Jun 2026]

#Shai-Hulud #Miasma #Bun #RedHatCloudServices #MiniShai-Hulud #FamousChollima #UNC3753 #LunaMoth #Vect #TheGentlemen #Aspose #VerdantBamboo #UNC5221 #BRICKSTORM #AGENTPSD #PLENET #CVE-2026-0257 #YellowKey #GreenPlasma #MiniPlasma #ClickFix #CastleLoader #PureLogs #JS.MonoGlyphRAT #Havoc #NF-e #TaxShadow #XENOFISCAL #XenoRAT #C0XMO #Gafgyt #Gamaredon #GammaLoad #GammaSteel #GammaPhish #GammaWorm #OperationFlutterBridge #FlutterShell #BlueWallet #Argamal #TA4922 #BlindEagle #Handala #BRICKSTORM

Supply Chain Compromises

• PyPI compromise in the Shai-Hulud/Miasma line used startup hooks to launch a Bun-based stealer and exfiltrate developer secrets to GitHub — Shai-Hulud Descends to Hades
• Red Hat Cloud Services npm packages were backdoored with install-time credential theft and possible propagation via stolen npm access — 32 Red Hat npm packages backdoored in 72 seconds
• A smaller Mini Shai-Hulud wave hit Red Hat npm packages, targeting GitHub Actions, cloud creds, Vault, and SSH keys — Mini Shai-Hulud Campaign Hits Red Hat Cloud Services
• Compromised Packagist development code used a malicious loader to fetch encrypted payloads tied to Famous Chollima activity — Famous Chollima Targets PHP Developers
• GitHub Actions remains a high-value target as supply chain intrusions continue across projects like Nx, Trivy, KICS, and LiteLLM — The case for GitHub Actions security

Ransomware, Extortion, and Data Theft

• UNC3753 / Luna Moth ran vishing-led extortion against U.S. legal and financial firms using RMM tools and data leak pressure — Seeking Counsel
• Vect ransomware emerged with affiliate recruitment, broad cross-platform reach, and wiper-like destructive behavior — Dark Web Profile: Vect Ransomware
• The Gentlemen ransomware tradecraft centered on double extortion, GPO abuse, and encrypted exfiltration — Emulating the Gentlemen Ransomware
• An espionage campaign quietly exfiltrated a stock exchange executive’s Outlook mailbox over months using cloud storage and an Aspose-based stealer — Stock Exchange Executive for Five Months

Cloud, Identity, and Supply-Chain Intrusions

• VerdantBamboo / UNC5221 abused firewall and appliance access to maintain persistence with BRICKSTORM, AGENTPSD, and PLENET — VerdantBamboo: Just Another BRICKSTORM in the Firewall
• An unauthenticated MCP server enabled SSRF, LFI, and AWS credential theft from exposed internal tooling — How an Unauthenticated MCP Server Led to SSRF, LFI, and AWS Credential Theft
• TeamPCP and related supply-chain activity reinforced the risk of rapidly weaponized developer and CI/CD ecosystems — Security briefing: May 2026

Exploitation of Public-Facing Systems

• PAN-OS CVE-2026-0257 is under active exploitation against GlobalProtect portal and gateway components — Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
• Chaotic Eclipse disclosed three Windows zero-days: YellowKey, GreenPlasma, and MiniPlasma, with PoCs published quickly after Patch Tuesday — Inside the Latest Chaotic-Eclipse Releases
• An agentic threat actor automated container escape and Kubernetes secret theft via CVE-2026-39987 in marimo — Agentic threat actor hits the orchestration plane

Phishing, Loader, and RAT Campaigns

• ClickFix used typosquatted job sites, the Finger protocol, and Windows utilities to deliver CastleLoader and a Python RAT — ClickFix Is Now Hiring
• PureLogs was delivered through a fake purchase-order lure and used in-memory loading to steal browser, Discord, crypto, and app data — Phishing Campaign Deploys JavaScript-Driven PureLogs Variant
• JS.MonoGlyphRAT abused purchase orders and proposals to establish persistence and load additional payloads — From Fake Purchase Orders to Remote Access
• A Havoc stager hid behind a Brazilian NF-e lure and delayed loading the final implant until runtime — The Demon Arrives Later
• Operation TaxShadow used tax-themed phishing, DLL hijacking, and in-memory malware with WebSocket C2 — Operation TaxShadow
• Operation XENOFISCAL targeted Afghanistan’s Ministry of Finance with a persistent XenoRAT loader chain — Operation XENOFISCAL

Botnets, Worms, and Cross-Platform Malware

• C0XMO, a modular Gafgyt variant, spread across routers, Linux, and IoT with DDoS and exploitation features — Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
• Gamaredon continued its multi-stage GammaLoad, GammaSteel, GammaPhish, and GammaWorm chains against Ukraine — GammaPhish and GammaWorm
• Follow-on analysis detailed GammaLoad persistence, registry-cached C2, and abuse of Telegram and Cloudflare infrastructure — GammaLoad
• GammaSteel added fileless PowerShell theft, USB propagation, and dead-drop recovery for covert exfiltration — GammaSteel
• Gamaredon and Turla showed operational overlap in a 2025 espionage alliance targeting Ukraine — Gamaredon x Turla

Malvertising, Mac, and Consumer Malware

• Operation FlutterBridge used Google Ads and lookalike apps to deliver the FlutterShell backdoor on macOS — Operation FlutterBridge
• A fake BlueWallet site tricked Mac users into running an AppleScript implant that stole logins, wallets, and clipboard data — Fake BlueWallet steals passwords
• Argamal hid inside trojanized hentai games and torrents to install a backdoor and later deploy a RAT — Argamal: Malware hidden in hentai games

Regional, Sector, and Actor Activity

• TA4922 expanded globally with payroll, tax, and invoicing lures while using RATs, sideloading, and cloud hosting — TA4922: Going Global
• BlindEagle continued phishing-led theft of banking and government data across Latin America and the U.S. — Dark Web Profile: BlindEagle
• Handala branding was expanded to blend cyber, physical, and influence operations against U.S. and Israeli interests — Iran Expands Handala Brand to Physical Threats

Defensive Readiness and Recovery

• Backup jobs can appear green while still failing recovery windows, making restore testing and latency governance critical — Backup operations at scale

Threat Research | Weekly Recap – hendryadrian.com